Security researchers have managed to extract the secret key used by Intel CPUs to encrypt updates and the effects of their discovery could be wide reaching.
With the key in hand, it’s now possible to decrypt the microcode updates Intel releases to patch security vulnerabilities and other bugs. This could potentially even allow hackers to release chip updates with their own microcode though they wouldn’t be able to survive a system reboot.
Independent researcher Maxim Goryachy along with researchers Dmitry Sklyarov and Mark Ermolov from Positive Technologies made the discovery by leveraging a critical vulnerability Ermolov and Goryachy found in the Intel Management Engine back in 2017.
Goryachy provided further insight on the research team’s latest discovery in a direct message to Ars Technica, saying:
“At the moment, it is quite difficult to assess the security impact. But in any case, this is the first time in the history of Intel processors when you can execute your microcode inside and analyze the updates.”
Chip Red Pill
Three years ago Goryachy and Ermolov discovered a critical vulnerability in the Intel Management Engine, indexed as Intel SA-00086, that allowed them to execute any code they wanted inside the dependent core of Intel’s CPUs. While the chip giant released a patch fixing the bug, it could still be exploited as CPUs can be rolled back to an earlier firmware version without the fix.
Earlier this year, the research team was able to use the vulnerability they found to unlock a service mode embedded in Intel chips called “Red Unlock” which is used by its engineers to debug microcode. Goryachy, Ermolov and Sklyarov then named their tool for accessing the debugger Chip Red Pill in a reference to The Matrix.
By accessing one of Intel’s Goldmont-based CPUs in Red Unlock mode, the researchers were able to extract a special ROM area called MSROM (microcode sequencer ROM). They then reverse engineered the chip maker’s microcode and following months of analysis, were able to extract the RC4 key used by Intel in the update process. However, the researchers were not able to discover the signing key used by Intel to cryptographically prove whether an update is authentic or not.
In a statement, Intel officials downplayed the team’s discovery while reassuring users that their CPUs are safe from potentially malicious chip updates, saying:
“The issue described does not represent security exposure to customers, and we do not rely on obfuscation of information behind red unlock as a security measure. In addition to the INTEL-SA-00086 mitigation, OEMs following Intel’s manufacturing guidance have mitigated the OEM specific unlock capabilities required for this research. The private key used to authenticate microcode does not reside in the silicon, and an attacker cannot load an unauthenticated patch on a remote system.”
Goryachy, Ermolov and Sklyarov’s discovery may not be able to be used by hackers but for security researchers it could be a real help as they’ll now be able to analyze Intel’s microcode patches to see how the company fixes bugs and security vulnerabilities.
Via Ars Technica